Installing OpenSSL 1.0.1g & Setting Up a Self-Signed CA

The other day, to deal with the serious OpenSSL vulnerability known as "Heartbleed", I updated from OpenSSL-1.0.1f to OpenSSL-1.0.1g.

>Move to the download & build directory
# cd /usr/local/src/

>Download the latest OpenSSL
# wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz

>Extract the archive
# tar -xzf openssl-1.0.1g.tar.gz

>Change into the source directory
# cd ./openssl-1.0.1g

>config, make, make install
# ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic
# make
# make install

Check the version after installation
# openssl
OpenSSL> version
OpenSSL 1.0.1g 7 Apr 2014

Note: make failed with the error below; the fix follows
c_zlib.c: In function ‘bio_zlib_ctrl’:
c_zlib.c:725: error: ‘BIO_ZLIB_CTX’ has no member named ‘ocount’
c_zlib.c:726: error: ‘BIO_ZLIB_CTX’ has no member named ‘odone’
c_zlib.c:765: error: ‘BIO_ZLIB_CTX’ has no member named ‘obuf’
c_zlib.c:767: error: ‘BIO_ZLIB_CTX’ has no member named ‘obuf’
c_zlib.c:768: error: ‘BIO_ZLIB_CTX’ has no member named ‘obuf’
c_zlib.c:770: error: ‘BIO_ZLIB_CTX’ has no member named ‘obufsize’
make[2]: *** [c_zlib.o] エラー 1
make[2]: ディレクトリ `/usr/local/src/openssl/openssl-1.0.1g/crypto/comp’ から出ます
make[1]: *** [subdirs] エラー 1
make[1]: ディレクトリ `/usr/local/src/openssl/openssl-1.0.1g/crypto’ から出ます
make: *** [build_crypto] エラー 1

# yum install zlib-*   (this resolved the error)
installing:
zlib-devel x86_64 1.2.3-29.el6 base 44 k
zlib-static x86_64 1.2.3-29.el6 base 52 k

Self-Signed CA

# cd /etc/pki/tls
# cp -p openssl.cnf openssl.cnf.org  (keep a copy of the default file)
Note: there are two openssl.cnf files, and they differ slightly.
Running "./CA -newca" produces an error that did not occur with openssl-1.0.1f.
I backed up both files, edited /etc/pki/tls/openssl.cnf as shown below,
and copied it to /etc/ssl/openssl.cnf to work around this.

>Edit openssl.cnf
# /etc/pki/tls/openssl.cnf
[ req ]
default_bits = 2048

[ req_distinguished_name ]
countryName_default = JP

[ usr_cert ]
basicConstraints=CA:TRUE    # issue CA certificates
nsCertType = server         # create server certificates  ← uncommented

[ v3_ca ]
nsCertType = sslCA, emailCA # ← uncommented

> Edit the CA script
# cd /etc/pki/tls/misc
# cp -p CA CA.org
# vi CA
Change the validity periods below to the number of days you want
if [ -z "$DAYS" ] ; then DAYS="-days 3650" ; fi # 10 year
CADAYS="-days 7300" # 20 years

>Move the default directory aside and create an empty directory
# cd ../../
# mv CA CA.org
# mkdir CA
Note: if this fails, recreate the CA directory.

> Run the CA creation script
# cd ./tls/misc
# ./CA -newca
CA certificate filename (or enter to create)
(leave the filename empty and press [Enter])
Making CA certificate …
Generating a 2048 bit RSA private key
….+++
………………………………..+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase: (enter the passphrase)
Verifying - Enter PEM pass phrase: (enter the passphrase)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: JP (country)
State or Province Name (full name) []:XXXXXX (prefecture)
Locality Name (eg, city) [Default City]:XXXXXXX (city)
Organization Name (eg, company) [Default Company Ltd]:XXXX (organization)
Organizational Unit Name (eg, section) []: (department)
Common Name (eg, your name or your server's hostname) []:*.XXXXX.XX (hostname etc.) ⇒ wildcard
Email Address []: (press [Enter] without entering anything)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (press [Enter] without entering anything)
An optional company name []: (press [Enter] without entering anything)
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: (the passphrase entered at the start)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 9646386112852737689 (0x85ded90f96d93e99)
Validity
Not Before: Apr 4 11:06:24 2014 GMT
Not After : Mar 30 11:06:24 2034 GMT
Subject:
countryName = JP
stateOrProvinceName = XXXXXX
organizationName = XXXX
commonName = *.XXX.XXX ⇒ wildcard
X509v3 extensions:
X509v3 Subject Key Identifier:
C6:FD:32:42:E7:51:EF:4C:1B:AC:F8:B0:94:D1:6D:B4:DA:AA:7D:47
X509v3 Authority Key Identifier:
keyid:C6:FD:32:42:E7:51:EF:4C:1B:AC:F8:B0:94:D1:6D:B4:DA:AA:7D:47

X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL CA, S/MIME CA
Certificate is to be certified until Mar 30 11:06:24 2034 GMT (7300 days)

Write out database with 1 new entries
Data Base Updated

>Create the CA certificate for browsers
# cd ../../CA/private/
# chmod 0600 cakey.pem
# openssl x509 -inform PEM -outform DER -in ../cacert.pem -out ../cacert.der

>Confirm that "cacert.pem" and "cacert.der" exist
# ls -l /etc/pki/CA

>Create a certificate signing request (CSR)
# cd /tmp  (move to a suitable directory, or create a new one)
# openssl md5 * > rand.dat  (create a random seed file)
# openssl genrsa -rand rand.dat -des3 2048 > key.pem  (create the private key)
48 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
………………………………………………………………………………………+++
…………………..+++
e is 65537 (0x10001)
Enter pass phrase: (enter the passphrase)
Verifying - Enter pass phrase: (enter the passphrase)

# openssl req -new -key key.pem -out server.csr  (create the CSR)
Enter pass phrase for key.pem: (enter the passphrase of the private key)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: JP (country)
State or Province Name (full name) []:XXXXXX (prefecture)
Locality Name (eg, city) [Default City]:XXXXXXX (city)
Organization Name (eg, company) [Default Company Ltd]:XXXX (organization)
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.XXXXX.XX (hostname etc.) ⇒ wildcard
Email Address []: (press [Enter] without entering anything)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (press [Enter] without entering anything)
An optional company name []: (press [Enter] without entering anything)

>Confirm that "key.pem" and "server.csr" have been created
# ls -l

>Sign with the self-signed CA
# cd /etc/pki/tls/misc/
# openssl ca -out /var/tmp/cert.pem -infiles /var/tmp/server.csr
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: (enter the passphrase)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 9646386112852737690 (0x85ded90f96d93e9a)
Validity
Not Before: Apr 4 11:39:25 2014 GMT
Not After : Apr 4 11:39:25 2015 GMT
Subject:
countryName = JP
stateOrProvinceName = Kanagawa
organizationName = Axel
commonName = *.ecoya.jp
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
80:17:82:6F:AE:A1:9E:CC:A4:F2:D0:C0:E5:C3:42:6C:8B:4A:7E:AC
X509v3 Authority Key Identifier:
keyid:C6:FD:32:42:E7:51:EF:4C:1B:AC:F8:B0:94:D1:6D:B4:DA:AA:7D:47

Certificate is to be certified until Apr 4 11:39:25 2015 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

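>Confirm that "cert.pem" has been created
# ls -l /tmp
Note: "cert.pem" and "key.pem" are used as a pair

>Supplement 1
To avoid being prompted for the private key passphrase when the web server starts, remove the passphrase from the key used with the server certificate
# cd /tmp
# openssl rsa -in key.pem -out key.pem.nopassword
Enter pass phrase for key.pem: (enter the passphrase)
writing RSA key
Note: use the resulting "key.pem.nopassword" in place of "key.pem"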
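
Added example (not part of the original post): with basicConstraints=CA:TRUE in [ usr_cert ], the server certificate signed above is itself marked as a CA (its Certificate Details show CA:TRUE), and key.pem.nopassword is stored without a passphrase. The sh functions below check a certificate's text output for the CA flag and a key file for plaintext storage with a mode wider than 0600; the function names and the sample data are constructed for this example.

```sh
# Added example, not from the original post; sample data is constructed.

# ca_flag: read certificate text on stdin ("openssl x509 -noout -text", or the
# "Certificate Details" printed by "openssl ca") and print the CA flag found
# under X509v3 Basic Constraints: TRUE, FALSE or ABSENT.
ca_flag() {
    awk '
        /X509v3 Basic Constraints/ { in_bc = 1; next }
        in_bc && /CA:TRUE/  { print "TRUE";  found = 1; exit }
        in_bc && /CA:FALSE/ { print "FALSE"; found = 1; exit }
        { in_bc = 0 }
        END { if (!found) print "ABSENT" }
    '
}

# key_state: print "encrypted" or "plaintext" for a PEM private key file,
# judged by the PEM headers OpenSSL writes for passphrase-protected keys.
key_state() {
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
    then echo encrypted
    else echo plaintext
    fi
}

# key_exposed: exit 0 when the key is plaintext AND its mode grants any
# permission to group or other (anything wider than 0600).
key_exposed() {
    [ "$(key_state "$1")" = plaintext ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group+other part of the mode string
    [ "$perms" != "------" ]
}

# Constructed sample: extension lines as shown for the signed server certificate.
sample_leaf() {
    cat <<'EOF'
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL Server
EOF
}

echo "sample server certificate CA flag: $(sample_leaf | ca_flag)"
# With the files from this procedure:
#   openssl x509 -in cert.pem -noout -text | ca_flag
#   key_exposed key.pem.nopassword && echo "tighten with: chmod 0600 key.pem.nopassword"
```

For a server certificate the expected flag is FALSE, which [ usr_cert ] produces when basicConstraints is set to CA:FALSE.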

>Supplement 2
Convert the server certificate for use on Windows (IIS etc.)
# openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.p12
Note: import the "cert.p12" created here using the MMC Certificates snap-in
(also import the CA certificate "cacert.pem" into [Trusted Root Certification Authorities])

>Supplement 3
If an error occurs when signing
# openssl ca -out /var/tmp/cert.pem -infiles /var/tmp/server.csr
~ omitted ~
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Note: if this error appears, revoke the certificate issued earlier for the request

# openssl ca -revoke /etc/pki/CA/newcerts/85DED90F96D93E99.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: (enter the passphrase)
Revoking Certificate 85DED90F96D93E99.
Data Base Updated

>Supplement 4
The "openssl ciphers -v 'cipher suite list'" command lists the cipher suites that can be used
# openssl ciphers -v 'HIGH:!aNULL:!MD5'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=AES(256) Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=3DES(168) Mac=SHA1
SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=AES(128) Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1
ECDH-ECDSA-AES128-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
